/* qitest1's security advisory #001 */

Buffer Overflow in TIAtunnel-0.9alpha2

+Systems Affected
Any system running TIAtunnel-0.9alpha2

+Program Description
TIAtunnel is a simple IRC bouncer that allows access from a simple IPv4
box to any kind of well-known server. It has been written by
tHE rECIdjVO <recidjvoat_private>, http://tiatunnel.pkcrew.org/.

+Vulnerability And Impact
A remote attacker can overflow a buffer and execute arbitrary code on the
system with the privileges of the user running TIAtunnel. In fact, in
auth.c at line 28 we have:

    struct tunnel *auth_conn(int *csock, int entries)
    {
      char authline[512];   /* static char buf */
      struct tunnel *t_current;
      int i = 0;

      // Read one line from the client
      bzero(authline, 512);
      while((authline[i - 1] != '\n') && (authline[i - 1] != '\r')
            && (i < 1024)) {   /* 1024?! =) */
        read(*csock, (authline + i++), (size_t)1);
      }

The loop accepts up to 1024 bytes from the client, but authline holds only
512, so a line longer than the buffer is written past its end on the stack.

+Solution
Author was contacted. Upgrade your version of TIAtunnel.

+Exploit
This bug can be successfully exploited by a remote attacker. There is a
demonstrative exploit code attached to this advisory. See the code for
more info.

--
/* qitest1                      http://qitest1.cjb.net
 *
 * ``Ut tensio, sic vis. 69 tecum sis.''
 *
 * main(){if(unsatisfied == 69) try_come(in);}
 */
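A bounded version of the line-reading loop quoted from auth.c, as an added example (not part of the advisory and not the TIAtunnel author's fix). The names read_auth_line, demo_auth_line and AUTHLINE_MAX are hypothetical, and the harness feeds constructed input through a pipe in place of the client socket.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define AUTHLINE_MAX 512   /* same size as authline[] in the advisory */

/* Read one line from fd into buf (capacity cap), stopping at '\n' or '\r'.
 * Returns the line length (terminator stripped), or -1 on read error,
 * EOF before a terminator, or a line that does not fit in cap - 1 bytes. */
ssize_t read_auth_line(int fd, char *buf, size_t cap)
{
    size_t i = 0;

    if (cap == 0)
        return -1;
    for (;;) {
        char c;
        ssize_t n = read(fd, &c, 1);

        if (n < 0 && errno == EINTR)
            continue;               /* interrupted by a signal: retry */
        if (n <= 0)
            break;                  /* read error or peer closed early */
        if (c == '\n' || c == '\r') {
            buf[i] = '\0';
            return (ssize_t)i;
        }
        if (i >= cap - 1)
            break;                  /* overlong line: reject, never write past buf */
        buf[i++] = c;
    }
    buf[0] = '\0';
    return -1;
}

/* Hypothetical harness: pushes constructed input through a pipe. */
ssize_t demo_auth_line(const char *input, size_t len, char *out, size_t cap)
{
    int p[2];
    ssize_t r;

    if (pipe(p) != 0)
        return -1;
    if (write(p[1], input, len) != (ssize_t)len) { close(p[0]); close(p[1]); return -1; }
    close(p[1]);
    r = read_auth_line(p[0], out, cap);
    close(p[0]);
    return r;
}
```

The bound is taken from the buffer's real capacity rather than a separate constant, and the return value of read() is checked so a closed connection ends the loop instead of spinning on stale data.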
This archive was generated by hypermail 2b30 : Wed Jun 06 2001 - 10:05:05 PDT